dnssec-tools.org DNSSEC Outage: 2016-10-24 to 2016-10-25
Updated: October 25, 2016
Overview
This page gives some details on the dnssec-tools.org DNSSEC outage from October 24 to October 25, 2016.
Timeline / DNSViz
- 2016-10-24 22:02:36 UTC — RRSIGs expire
- 2016-10-24 22:02:58 UTC — expired RRSIGs
- 2016-10-24 22:03:27 UTC — expired RRSIGs
- 2016-10-24 22:04:28 UTC — expired RRSIGs
- 2016-10-24 23:53:06 UTC — expired RRSIGs
- 2016-10-25 03:55:49 UTC — expired RRSIGs
- 2016-10-25 08:09:36 UTC — expired RRSIGs
- 2016-10-25 10:26:46 UTC — expired RRSIGs
- 2016-10-25 12:02:07 UTC — expired RRSIGs
- 2016-10-25 12:02:21 UTC — expired RRSIGs
- 2016-10-25 15:22:51 UTC — last personally observed DNSSEC failure
- 2016-10-25 16:55:33 UTC — DNSSEC outage over
DNSSEC Debugger
Unlike DNSViz, Verisign's DNSSEC Debugger doesn't archive results, so here's a screenshot of my web browser's output from October 24, 2016:

OpenDNS & Google Public DNS
OpenDNS does not support DNSSEC, instead supporting DNSCurve. Google Public DNS currently supports only DNSSEC, and thus, Google's users saw SERVFAIL for queries under dnssec-tools.org during this outage.
$ dig www.dnssec-tools.org @resolver1.opendns.com.
; <<>> DiG 9.4.2-P2 <<>> www.dnssec-tools.org @resolver1.opendns.com.
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2377
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.dnssec-tools.org. IN A
;; ANSWER SECTION:
www.dnssec-tools.org. 300 IN CNAME dnssec-tools.org.
dnssec-tools.org. 205 IN A 64.90.35.104
;; Query time: 24 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Mon Oct 24 22:04:22 2016
;; MSG SIZE rcvd: 68
With Google Public DNS, because of DNSSEC, queries fail:
$ dig +dnssec www.dnssec-tools.org @8.8.8.8
; <<>> DiG 9.4.2-P2 <<>> +dnssec www.dnssec-tools.org @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 10785
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;www.dnssec-tools.org. IN A
;; Query time: 218 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Oct 24 22:04:22 2016
;; MSG SIZE rcvd: 49
dnscheck
- dnscheck.labs.nic.cz shows expired RRSIGs (requires JavaScript).
- dnscheck.iis.se shows expired RRSIGs (requires JavaScript).
Zonemaster
- zonemaster.net archived "Delegation from parent to child is not properly signed (signature: DNSSEC signature has expired)."
- zonemaster.fr archived "Delegation from parent to child is not properly signed (signature: DNSSEC signature has expired)."
Logfile examples
- [1477353045] unbound[1232:0] info: validation failure <dnssec-tools.org. A IN>: signature expired from 168.150.236.43 for key dnssec-tools.org. while building chain of trust
- [1477408971] unbound[28574:0] info: validation failure <www.dnssec-tools.org. A IN>: key for validation dnssec-tools.org. is marked as invalid because of a previous validation failure <dnssec-tools.org. A IN>: signature expired from 75.101.48.145 for key dnssec-tools.org. while building chain of trust
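The two log lines above can be turned into an outage window per signing zone. The following is an added example, not part of the original page or of unbound itself; the function names parse_line and expiry_windows are hypothetical, and the regular expressions assume the log layout shown in the two lines quoted above.

```python
import re
from datetime import datetime, timezone

# The two unbound log lines quoted in "Logfile examples" above.
SAMPLE_LOG = [
    "[1477353045] unbound[1232:0] info: validation failure <dnssec-tools.org. A IN>: "
    "signature expired from 168.150.236.43 for key dnssec-tools.org. "
    "while building chain of trust",
    "[1477408971] unbound[28574:0] info: validation failure <www.dnssec-tools.org. A IN>: "
    "key for validation dnssec-tools.org. is marked as invalid because of a previous "
    "validation failure <dnssec-tools.org. A IN>: signature expired from 75.101.48.145 "
    "for key dnssec-tools.org. while building chain of trust",
]

# Assumed layout: [epoch] unbound[pid:thread] info: validation failure <qname type class>: detail
LINE = re.compile(r"^\[(\d+)\] unbound\[\d+:\d+\] info: validation failure "
                  r"<(\S+) (\S+) (\S+)>: (.*)$")
EXPIRED = re.compile(r"signature expired from (\S+) for key (\S+)")

def parse_line(line):
    """Return a dict for an expired-signature validation failure, else None."""
    m = LINE.match(line.strip())
    if not m:
        return None
    epoch, qname, qtype, _qclass, detail = m.groups()
    e = EXPIRED.search(detail)
    if not e:
        return None  # a validation failure with some other reason
    return {
        "time": datetime.fromtimestamp(int(epoch), tz=timezone.utc),
        "qname": qname, "qtype": qtype,
        "server": e.group(1), "zone": e.group(2),
        # True when the resolver reuses an earlier bad-key verdict for the zone
        "cached_verdict": "previous validation failure" in detail,
    }

def expiry_windows(lines):
    """Map each signing zone to (first_seen, last_seen, count) of expiry failures."""
    windows = {}
    for ev in filter(None, map(parse_line, lines)):
        first, last, n = windows.get(ev["zone"], (ev["time"], ev["time"], 0))
        windows[ev["zone"]] = (min(first, ev["time"]), max(last, ev["time"]), n + 1)
    return windows

if __name__ == "__main__":
    for zone, (first, last, n) in expiry_windows(SAMPLE_LOG).items():
        print(f"{zone} expired-RRSIG failures: {n}, {first.isoformat()} .. {last.isoformat()}")
```

The second log line's timestamp decodes to 2016-10-25 15:22:51 UTC, the "last personally observed DNSSEC failure" entry in the timeline.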